SPECIFICATION



PUBLIC-KEY ENCRYPTION AND KEY-SHARING METHODS 



Background Art 



The present invention relates to a method for cryptographic 
communications using public-key cryptography and a key-sharing method. 

Diverse public-key cryptosystems have been proposed heretofore. Among them, the most famous and most practically used public-key cryptography is the method set forth in the following document:

Reference document 1 "R. L. Rivest, A. Shamir, L. Adleman: A method for obtaining digital signatures and public-key cryptosystems, Commun. of the ACM, Vol. 21, No. 2, pp. 120-126, 1978"

Other methods using elliptic curves are known as efficient public-key cryptosystems, which are described in the following documents:

- Reference document 2 "V. S. Miller: Use of Elliptic Curves in Cryptography, Proc. of Crypto'85, LNCS218, Springer-Verlag, pp. 417-426 (1985)"

- Reference document 3 "N. Koblitz: Elliptic Curve Cryptosystems, Math. Comp., 48, 177, pp. 203-209 (1987)"

Further, there is known cryptography providing for provable security against chosen plaintext attacks, such as:

- Cryptography described in reference document 4 "M. O. Rabin: Digital Signatures and Public-Key Encryptions as Intractable as Factorization, MIT, Technical Report, MIT/LCS/TR-212 (1979)"

- Cryptography described in reference document 5 "T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Trans. on Information Theory, IT-31, 4, pp. 469-472 (1985)"

- Cryptography described in reference document 6 "S. Goldwasser: Probabilistic Encryption, JCSS, 28, 2, pp. 270-299 (1984)"

- Cryptography described in reference document 7 "M. Blum and S. Goldwasser: An efficient probabilistic public-key encryption scheme which hides all partial information, Proc. of Crypto'84, LNCS196, Springer-Verlag, pp. 289-299 (1985)"

- Cryptography described in reference document 8 "S. Goldwasser and M. Bellare: Lecture Notes on Cryptography, http://www-cse.ucsd.edu/users/mihir (1997)"

- Cryptography described in reference document 9 "T. Okamoto and S. Uchiyama: A New Public-Key Cryptosystem as Secure as Factoring, Proc. of Eurocrypt'98, LNCS1403, Springer-Verlag, pp. 308-318 (1998)"

Furthermore, there is known cryptography providing for provable security against chosen ciphertext attacks, such as:

- Cryptography described in reference document 10 "D. Dolev, C. Dwork and M. Naor: Non-malleable cryptography, In 23rd Annual ACM Symposium on Theory of Computing, pp. 542-552 (1991)"

- Cryptography described in reference document 11 "M. Naor and M. Yung: Public-key cryptosystems provably secure against chosen ciphertext attacks, Proc. of STOC, ACM Press, pp. 427-437 (1990)"

- Cryptography described in reference document 12 "M. Bellare and P. Rogaway: Optimal Asymmetric Encryption - How to Encrypt with RSA, Proc. of Eurocrypt'94, LNCS 950, Springer-Verlag, pp. 92-111 (1994)"

- Cryptography described in reference document 13 "R. Cramer and V. Shoup: A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack, Proc. of Crypto'98, LNCS1462, Springer-Verlag, pp. 13-25 (1998)"

Yet further, the equivalence between IND-CCA2 (indistinguishability (strong protection of secrecy) against adaptive chosen ciphertext attacks) and NM-CCA2 (non-malleability against adaptive chosen ciphertext attacks) is set forth in:

- Reference document 14 "M. Bellare, A. Desai, D. Pointcheval and P. Rogaway: Relations Among Notions of Security for Public-Key Encryption Schemes, Proc. of Crypto'98, LNCS1462, Springer-Verlag, pp. 29-45 (1998)."

At present, public-key cryptosystems satisfying this equivalence requirement are considered the most secure.

The security of the cryptography disclosed in reference document 1 is based on the assumption that the problem of factorization into prime numbers is difficult to solve, but the above equivalence is not discussed in that document. If the problem of factorization into prime numbers can be solved, then the cryptography of reference document 1 can be broken; however, it is not proven that the reverse is also true. There remains a possibility that the cryptography of reference document 1 may be broken by solving a simpler problem than factorization into prime numbers.

Moreover, because the cryptography of reference document 1 is deterministic, encrypting a plaintext with the same key always generates the same ciphertext. If this cryptography is used as is, an observer who detects that several ciphertexts are identical learns that they were encrypted from the same original plaintext. To prevent this, additional processing, namely adding random number data in the course of encryption, is required when such cryptography is used in practice, and this is disadvantageous in terms of efficiency.

In contrast to this cryptography, for the cryptography disclosed in reference document 9, it is proven that the possibility of breaking a ciphertext by a passive attack and recovering its original plaintext (complete deciphering) is equivalent to the difficulty of solving the problem of factorization into prime numbers, which assures security. Moreover, because it is probabilistic cryptography, in which various ciphertexts may be generated from even the same plaintext, the cryptography of reference document 9 is free from the problem involved in the cryptography of reference document 1 and has no need of additional processing for protection.

According to reference document 9, it is argued that semantic security against partial deciphering in the subject cryptography is also assured by reason of its equivalence to the difficulty of solving a p-subgroup problem defined in that document. However, this issue has not yet been discussed sufficiently, and the difficulty of that problem is not known; it is a disputable point. If an algorithm that solves the p-subgroup problem efficiently is found, then partial deciphering of a ciphertext generated in accordance with the cryptography of reference document 9 can be performed efficiently, and semantic security cannot be assured.
Generally, to assure the security of ciphers, it is desirable to prove that deciphering is equivalent to solving a problem, such as factorization into prime numbers or discrete logarithms, whose computational difficulty has been argued sufficiently.

The cryptography described in reference document 13 is such that a ciphertext is generated by using the cryptography described in reference document 5, and "message information" that nobody can create without knowing the original message as it was before being encrypted is added to the ciphertext. The mechanism of ciphertext acceptance is as follows: only if this message information matches the received ciphertext is the ciphertext handled as a valid one; if not, the ciphertext is rejected. The quantity of this message information to be processed is rather great.

Meanwhile, due to the popularization of mobile terminal devices for information processing and the development of network environments, it is anticipated that the opportunity of conducting electronic commerce using these mobile terminal devices will increase. The computational ability of these small information devices is limited, whereas the devices, if used for electronic commerce, must process a large amount of data for the complex protocols of electronic commerce. Therefore, reducing the computational load may be preferable to reducing the data amount for encryption.

Disclosure of the Invention

It is an object of the present invention to provide a public-key encryption method for security-provable and highly efficient encryption/decryption processing.

In accordance with the present invention, a public-key encryption method is provided for which OW-CPA (one-wayness against chosen plaintext attacks) and IND-CPA (indistinguishability (strong protection of secrecy) against chosen plaintext attacks) are provable on the presupposition that the problem employed in the method is computationally harder than those underlying previously known cryptography. Based on this method, further, a public-key encryption method for which IND-CCA2 or NM-CCA2 is provable is provided.

The encryption method according to the present invention has the following features: the number of modular products, which dominate the computational cost of encryption/decryption processing, is smaller than in previous cryptographic techniques, and high-speed processing is thereby enabled.

Other objects of the present invention are to provide an encryption method using a public key and a decryption method, a key distribution method and a key-sharing method using the above methods, and a program, devices, or a system for implementing these methods, whereby the computational load for both encrypting data to send and decrypting the encrypted data is reduced and high-speed processing is enabled even if these methods are applied to devices with limited computational ability, such as mobile terminal devices for information processing.

To achieve the foregoing objects, the present invention comprises means for implementing the following:

(1) Composing procedures for encryption and decryption so as to have both the feature of the cryptography (Rabin's cryptosystem) described in reference document 4, that is, one-wayness against chosen plaintext attacks (OW-CPA), and the feature of the cryptography (ElGamal's cryptosystem) described in reference document 5, that is, indistinguishability (strong protection of secrecy) against chosen plaintext attacks (IND-CPA); and, furthermore, selecting a small plaintext space without disclosing secret information.

Specifically, for the finite group $G = (\mathbb{Z}/n)^*$ ($n = p^d q$) that is defined to form the basic part of the cipher, the plaintext space is set to $(0, 2^{k-2})$, where $k = |pq|$ is the bit length of $pq$.

(2) In the public-key encryption method set forth in item (1) above, on the presupposition that an (ideal) random function is made public: computing an exclusive OR and a concatenation of the plaintext and random number data, assigning the result of this computation to a random function H and evaluating H, and again computing an exclusive OR and a concatenation of the plaintext, the random number data and the result obtained from the random function H.

Preferably, one embodiment of the method comprises the following:

[Key generation]

Key generation comprising:

generating a secret key $(p, q, s, \beta)$ consisting of elements $p$, $q$, $s$ and $\beta$, where:

- $p$ and $q$ are prime numbers, $p \equiv 3 \pmod 4$, $q \equiv 3 \pmod 4$;

- $s \in \mathbb{Z}$, $g h^{s} \equiv 1 \pmod{pq}$;

- $\beta \in \mathbb{Z}$, $\alpha \beta \equiv 1 \pmod{\mathrm{lcm}(p-1,\, q-1)}$,

and

generating a public key $(n, g, h, k, l, \alpha)$ consisting of elements $n$, $g$, $h$, $k$, $l$ and $\alpha$ ($k$ is the bit length of $pq$), where:

- $\alpha, g, h, k, l \in \mathbb{Z}$ ($0 < g, h < n$);

- $n = p^{d} q$ (where $d$ is an odd number).
[Encryption]

Encryption which the sender conducts comprising:

calculating the following with regard to a plaintext $m$ ($m \in \{0, 1\}^{n}$):

$m_1 = \left(m\,0^{k_1} \oplus G(r)\right) \,\|\, \left(r \oplus H\!\left(m\,0^{k_1} \oplus G(r)\right)\right)$, $0 < m_1 < 2^{k-2}$

(where $0 \le r < 2^{k_0}$, and $G: \{0, 1\}^{k_0} \to \{0, 1\}^{n + k_1}$ and $H: \{0, 1\}^{n + k_1} \to \{0, 1\}^{k_0}$ are suitable random functions, the parameters being chosen subject to $0 < m_1 < 2^{k-2}$);

calculating the Jacobi symbol $a = (m_1/n)$ and the following, with a random number $r'$ ($0 \le r' \le l$):

$C = m_1^{2\alpha} g^{r'} \bmod n$, $D = h^{r'} \bmod n$

and

sending the ciphertext (C, D, a) to said receiver.
[Decryption]

Decryption which the receiver conducts comprising:

calculating the following from the ciphertext (C, D, a), using the receiver's secret key $(p, q, s, \beta)$:

$m_{1,p} = \left((C D^{s})^{\beta}\right)^{(p+1)/4} \bmod p$,
$m_{1,q} = \left((C D^{s})^{\beta}\right)^{(q+1)/4} \bmod q$;

finding the x that fulfills the conditions $(x/n) = a$ and $0 < x < 2^{k-2}$ from among $\phi(m_{1,p}, m_{1,q})$, $\phi(-m_{1,p}, m_{1,q})$, $\phi(m_{1,p}, -m_{1,q})$ and $\phi(-m_{1,p}, -m_{1,q})$, and determining that x as $m'_1$ (where $\phi$ represents the ring isomorphism from $\mathbb{Z}/(p) \times \mathbb{Z}/(q)$ to $\mathbb{Z}/(pq)$ according to the Chinese remainder theorem); and

calculating the following, assuming $m'_1 = s' \| t'$ (where $s'$ is the upper $n + k_1$ bits of $m'_1$ and $t'$ is the lower $k_0$ bits thereof):

$m = \left[s' \oplus G\!\left(t' \oplus H(s')\right)\right]^{n}$ if $\left[s' \oplus G\!\left(t' \oplus H(s')\right)\right]_{k_1} = 0^{k_1}$, and $m = *$ otherwise,

thereby obtaining the result of decryption (where $[a]^{n}$ and $[a]_{n}$ represent the upper n bits and lower n bits of a, respectively).

An asterisk (*) as the result of decryption denotes that decryp- 
tion is unsuccessful. If decryption from a ciphertext is unsuccessful, 
there is a possibility that the ciphertext is intended for attack. Thus, the 
decryption procedure is arranged so that no plaintext message will be 
output as the result of unsuccessful decryption, whereby chosen cipher- 
text attacks can be repelled. 
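The padding and unpadding steps of the preferred embodiment above, as an added example that is not part of the patent text. The random functions G and H are instantiated here with a counter-mode SHA-256 expansion (an assumption of this example; the text only calls them suitable random functions), lengths are handled in bytes rather than bits, n denotes the message length (not the modulus), and unpad returns None where the text returns the asterisk.

```python
import hashlib
import os


def mgf(seed, out_len, label):
    """Counter-mode SHA-256 expansion standing in for the random functions G and H.
    This instantiation is an assumption of the example, not something the text fixes."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(m, n, k0, k1, r=None):
    """m_1 = (m || 0^{k1} xor G(r)) || (r xor H(m || 0^{k1} xor G(r))); n, k0, k1 in bytes."""
    if len(m) != n:
        raise ValueError("message must be exactly n bytes")
    if r is None:
        r = os.urandom(k0)                     # 0 <= r < 2^{k0}
    s = xor(m + bytes(k1), mgf(r, n + k1, b"G"))   # upper n + k1 bytes
    t = xor(r, mgf(s, k0, b"H"))                   # lower k0 bytes
    return s + t


def unpad(m1, n, k0, k1):
    """Return m when the trailing 0^{k1} block checks out, else None (the '*' of the text)."""
    if len(m1) != n + k1 + k0:
        return None
    s, t = m1[:n + k1], m1[n + k1:]            # s' = upper n + k1 bytes, t' = lower k0 bytes
    r = xor(t, mgf(s, k0, b"H"))               # r = t' xor H(s')
    w = xor(s, mgf(r, n + k1, b"G"))           # w = s' xor G(r)
    if w[n:] != bytes(k1):                     # [w]_{k1} must equal 0^{k1}
        return None
    return w[:n]                               # [w]^{n}


def padded_fits(m1, k):
    """Check 0 < m_1 < 2^{k-2} when m_1 is read as an integer, as the text requires."""
    x = int.from_bytes(m1, "big")
    return 0 < x < 2 ** (k - 2)
```

unpad recomputes r from t' and the mask from that r before it looks at the trailing zero block, so a modified m_1 is rejected without any plaintext leaving the function, which is the behaviour the paragraph above asks for; the caller still has to check that the integer value of m_1 fits below 2^(k-2) for the modulus in use, which padded_fits does.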

For actual operation, because the assumed ideal random function is impractical, a practical one-way function is used instead and a cipher provided with both practicability and security is composed. Clarifying the security difference between ciphers generated by using the practical one-way function and ciphers generated by using the assumed ideal random function is a subject for future study. However, because ciphers generated by using the practical one-way function are a version of cryptography that approximates the cryptography with proven security, it is expected that a certain degree of security is assured. For information about this, refer to "Okamoto, Fujisaki, Uchiyama: New Public-Key Cryptography, Information Processing Vol. 40, No. 2, pp. 170-173 (1999. 2)."

Brief Description of Drawings

FIG. 1 is a diagram showing a system configuration for illustrative embodiments of the present invention.

FIG. 2 is a diagram showing the internal configuration of a storage medium with computing capability in an embodiment of the present invention.

FIG. 3 is a table comparing the present invention with typical practical public-key cryptosystems in terms of efficiency (the number of modular products) and security.

Best Mode for Carrying Out the Invention

In the following description of embodiments of the invention, the encryptor is referred to as the sender, the decryptor as the receiver, and plaintext data to be encrypted is referred to as data to send. Illustrative cases of cryptographic communications will be discussed, assuming that the sender A of a message and the receiver B of the message respectively operate the sender-end device and the receiver-end device, and data to send is transferred from the sender to the receiver.

FIG. 1 is a diagram showing a system configuration for embodying the present invention in illustrative embodiments. To a network (which is also referred to as a communication line) 300 are connected a computer operated by the encryptor (which is also referred to as an encryptor-end device or sender-end device) 100, a computer operated by the decryptor (which is also referred to as a decryptor-end device or receiver-end device) 200, and a computer operated by a third party (which is also referred to as a third party's device) 400.

The encryptor-end device 100 and the decryptor-end device 200 each comprise a CPU (101, 201), a memory (102, 202) consisting of a secondary storage device such as a semiconductor storage device or a hard disk, a communication device (103, 203), and a bus (104, 204). In addition, a display (106, 206) and a keyboard (107, 207) are connected to the bus (104, 204). An IC card reader/writer (105, 205) that enables communication with an IC card possessed by the encryptor or the decryptor is connected to the bus (104, 204).

In the memory 102 of the encryptor-end device 100, the following are to be stored: the kinds of data elements which will be mentioned in the illustrative embodiments of the invention set forth later; program instructions (referred to as means) to be executed by the CPU 101; plaintext data (data to send) which is input via the keyboard 107, a portable storage medium or the communication line 300 and is to be encrypted; and a ciphertext to be transmitted.

In the memory 202 of the decryptor-end device 200, the follow- 
ing are to be stored: kinds of data elements which will be mentioned in 
illustrative embodiments of the invention which will be set forth later; 
program instructions (referred to as means) to be executed by the CPU 
201; a ciphertext which is decrypted to its original plaintext; and the 
plaintext data (data to send) which is recovered by decryption and output 
to the display 206 or the communication line 300. 

In the embodiments of the present invention, the receiver gen- 
erates secret data and public data, using a key generating means 2001 in 
the receiver-end device 200. The public data is output via the communi- 
cation line 300 or the like and transferred to the sender-end device 100 
or made public. As the method of making the data public, a well-known 
method can be used; for example, registering the data on a public data 
management facility operating on the third party's device 400. Other 
data is stored into the memory 202. 

An encrypting means 1004 in the sender-end device 100 gener- 
ates random numbers, using a random-number generating means 1001 and 
executes calculations based on public data 2006 obtained from the third- 
party's device 400 or the receiver-end device 200, using an exponentiat- 
ing means 1002 and a modulo arithmetic means 1003. Moreover, using a 
communication device 103, the sender-end device can send a ciphertext 
to the receiver-end device 200 over the communication line 300. 

A decrypting means 2004 in the receiver-end device 200 decrypts the received ciphertext, based on the above-mentioned secret data 2007 retained in the device, using an exponentiating means 2002 and a modulo arithmetic means 2003.

Then, illustrative embodiments will be described below, 
wherein processes are carried out by the appropriate means as instructed 
directly or indirectly by the operator (sender or receiver) of the subject 
device. 

(Embodiment 1) 

Embodiment 1 will be described below, assuming that the sender A of a message transmits data to send m to the receiver B by cryptographic communication.

1. Key generation process

The receiver B, in advance, generates secret data $(H, s, \alpha^{-1})$ consisting of elements $H$, $s$ and $\alpha^{-1}$, where:

- $H$ is a subgroup of $G$;

- $s \in \mathbb{Z}$, $g h^{s} = 1$ (in $G$);

- $\alpha^{-1} \in \mathbb{Z}$

(wherein $\alpha^{-1}$ is the inverse element of $\alpha$ in the ring of integers modulo the order of the finite group $H$),

and generates public data $(G, H', g, h, \alpha)$ consisting of elements $G$, $H'$, $g$, $h$ and $\alpha$, where:

- $G$ is a finite Abelian group;

- $H'$ is a subgroup of $H$;

- $g, h \in G$;

- $\alpha \in \mathbb{Z}$.

2. Encryption and decryption processes

(1) The sender A generates a random number r with regard to a plaintext $m$ ($\in H'$) and calculates the following:

$C = m^{\alpha} g^{r}$, $D = h^{r}$ (both in $G$)

Then, the sender obtains the above public data from the third party or the receiver B and calculates additional data a which ensures that the ciphertext is uniquely decrypted to its plaintext.

Furthermore, the sender sends the ciphertext (C, D, a) to the receiver-end device 200.

(2) The receiver B calculates the following from the ciphertext (C, D, a), using the elements $(s, \alpha^{-1})$ of the above secret data retained:

$m = (C D^{s})^{\alpha^{-1}}$ (in $H$)

and calculates the original plaintext m from the additional data a.

(Embodiment 2) 

Embodiment 2 comprises concrete procedures that specify how 
to give the finite Abelian group G and subgroup H mentioned in Embodi- 
ment 1 and how to generate additional data a. 
1. Key generation process

The receiver B, in advance, generates secret data $(p, q, s, \beta)$ consisting of elements $p$, $q$, $s$ and $\beta$, where:

- $p$ and $q$ are prime numbers, $p \equiv 3 \pmod 4$, $q \equiv 3 \pmod 4$;

- $s \in \mathbb{Z}$, $g h^{s} \equiv 1 \pmod{pq}$;

- $\beta \in \mathbb{Z}$, $\alpha \beta \equiv 1 \pmod{\mathrm{lcm}(p-1,\, q-1)}$,

and generates public data $(n, g, h, k, l, \alpha)$ consisting of elements $n$, $g$, $h$, $k$, $l$ and $\alpha$ ($k$ is the bit length of $pq$), where:

- $\alpha, g, h, k, l \in \mathbb{Z}$ ($0 < g, h < n$);

- $n = p^{d} q$ (where $d$ is an odd number).



2. Encryption and decryption processes

(1) The sender A generates a random number $r$ ($0 \le r \le l$) with regard to a plaintext $m$ ($0 < m < 2^{k-2}$) and calculates the following:

$C = m^{2\alpha} g^{r} \bmod n$, $D = h^{r} \bmod n$

Then, the sender obtains the above public data and calculates the Jacobi symbol $a = (m/n)$ (for information about how to define and calculate Jacobi symbols, descriptions are given in, for example, the reference document "Sadaharu Takagi: Lecture on Elementary Theory of Numbers, Iwanami-shoten").

Furthermore, the sender sends the ciphertext (C, D, a) to the receiver-end device 200.

(2) The receiver B calculates the following from the ciphertext (C, D, a), using the above secret key $(p, q, s, \beta)$ retained:

$m_{1,p} = \left((C D^{s})^{\beta}\right)^{(p+1)/4} \bmod p$,
$m_{1,q} = \left((C D^{s})^{\beta}\right)^{(q+1)/4} \bmod q$

and finds the one x that fulfills the conditions $(x/n) = a$ and $0 < x < 2^{k-2}$ from among $\phi(m_{1,p}, m_{1,q})$, $\phi(-m_{1,p}, m_{1,q})$, $\phi(m_{1,p}, -m_{1,q})$ and $\phi(-m_{1,p}, -m_{1,q})$, and determines that x as the plaintext m (where $\phi$ represents the ring isomorphism from $\mathbb{Z}/(p) \times \mathbb{Z}/(q)$ to $\mathbb{Z}/(pq)$ according to the Chinese remainder theorem).

In the method according to Embodiment 2, both one-wayness and indistinguishability (strong protection of secrecy) against chosen plaintext attacks are provable.

Specifically, on the presupposition that deciphering equals 
solving a more difficult problem than the problem of factoring n into 
prime numbers, it can be proven that complete deciphering is impossible. 
To elucidate this, if there exists an algorithm to solve a problem (more 
difficult than the problem of factoring n into prime numbers), an algo- 
rithm for complete deciphering of a ciphertext generated in the method of 
Embodiment 2 can be composed by using the former algorithm. Con- 
versely, if there exists an algorithm for complete deciphering of a ci- 
phertext generated in the method of Embodiment 2, an algorithm to solve 
a problem (more difficult than the problem of factoring n into prime 
numbers) can be composed by using the former algorithm. 

Furthermore, on the presupposition that a "constrained Diffie-Hellman decision problem" is difficult to solve, indistinguishability (strong protection of secrecy) can be proven. Hereupon, to elucidate the "constrained Diffie-Hellman decision problem," the following probability distributions are assumed:

$D_0$: $(h, g, h^{r}, g^{r})$, $0 \le r \le l$,

$D_1$: $(h, g, h^{r}, X g^{r})$, $X = (x/x')^{2\alpha} \bmod n$, $0 < x, x' < 2^{k-2}$

Now, a tuple drawn from either $D_0$ or $D_1$ is given; the question to answer is which of the two distributions it came from.

In the cryptography according to the present invention, it is proven that calculating the plaintext m from the ciphertext (C, D, a) is more difficult than the problem of factorization into prime numbers. To elucidate this, if there exists an algorithm to calculate the plaintext m from the ciphertext (C, D, a) in Embodiment 2, an algorithm to solve the problem of factorization into prime numbers can be composed by using the former algorithm. Conversely, even if there exists an algorithm to solve the problem of factorization into prime numbers, an algorithm to calculate the plaintext m from the ciphertext (C, D, a) in the cryptography of the present invention remains unknown, as it cannot be derived from the former algorithm. In this sense, complete deciphering is a more difficult problem than factorization into prime numbers.

The proof proceeds as follows. Input an arbitrary ciphertext to the algorithm for calculating the plaintext m from the ciphertext (C, D, a); from its output, the composite number n used as the modulus is factored into prime numbers with non-negligible probability. In this respect, the proof is similar to the proof for the cryptography disclosed in reference document 4. This processing is further elucidated below.

- Assume that there exists a probabilistic polynomial time algorithm Adv that can compute the plaintext m from the ciphertext (C, D, a) with non-negligible probability. Then, it is shown that a probabilistic polynomial time algorithm A which can factor n into prime factors with non-negligible probability can be constructed by using Adv as an oracle.

- The algorithm A is as follows. For the public key $(\alpha, n, g, h, l)$ in the offered method, uniformly select $m' \in \mathbb{Z}$ ($0 < m' < 2^{k-2}$), $r' \in \mathbb{Z}$ ($0 \le r' \le l$) and $a' \in \{-1, 1\}$ and calculate the following:

$C = m'^{2\alpha} g^{r'} \bmod n$, $D' = h^{r'} \bmod n$

Then, input $C$, $D'$ and $a'$ to the algorithm Adv.

- Since the ciphertext $(C, D', a')$ consisting of elements $C$, $D'$ and $a'$ has the same probability distribution as a true ciphertext, the algorithm Adv outputs plaintexts, one of which is the original form of the ciphertext $(C, D', a')$, with non-negligible probability.

- Assume that the four square roots of $m'^{2} \bmod pq$ are $m_1, m_2, m_3, m_4$ and that $m_1 + m_2 \equiv 0 \pmod{pq}$ and $m_3 + m_4 \equiv 0 \pmod{pq}$ hold.

- Then, since the range in which the true plaintext is recovered from the ciphertext $(C, D', a')$ by decryption of the algorithm Adv is the open interval $(0, 2^{k-2})$, the plaintext candidates are restricted to two. The remaining two plaintext candidates have different values of the Jacobi symbol. Hence, if the constraint $(m'/n) \neq a'$ is fulfilled for the Jacobi symbol $a'$ that the algorithm A arbitrarily selected, the algorithm A can obtain an unknown plaintext from the algorithm Adv.

- Hence, with regard to the output $m''$ of Adv, factoring n into prime numbers from $\gcd(m' - m'', n)$ succeeds with probability 1/2.
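A small-parameter model of Embodiment 2 together with the reduction just described, added here as an example and not taken from the patent. Key generation, encryption and decryption follow the formulas of Embodiment 2 (including the selection of the square root by range and Jacobi symbol), and reduction_step plays the algorithm A, using a decryption oracle built from the secret key in place of Adv. The toy prime sizes in toy_keys, the choice of alpha as the smallest odd integer invertible modulo lcm(p-1, q-1), the bound l = n, and the lifting of h^{-s} from Z/(pq) to a residue modulo n are assumptions of this example.

```python
import math
import random

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                      # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                            # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def crt(ap, aq, p, q):
    """phi: Z/(p) x Z/(q) -> Z/(pq), the ring isomorphism of the Chinese remainder theorem."""
    return (ap * q * pow(q, -1, p) + aq * p * pow(p, -1, q)) % (p * q)

def keygen(p, q, d, rng):
    """Secret key (p, q, s, beta) and public key (n, g, h, k, l, alpha) of Embodiment 2.
    p, q must be primes = 3 (mod 4) and d odd; the caller supplies them."""
    assert p % 4 == 3 and q % 4 == 3 and d % 2 == 1
    pq, n = p * q, p ** d * q
    k = pq.bit_length()                        # k = |pq|
    lam = math.lcm(p - 1, q - 1)
    alpha = 3                                  # assumption: smallest odd alpha invertible mod lam
    while math.gcd(alpha, lam) != 1:
        alpha += 2
    beta = pow(alpha, -1, lam)                 # alpha * beta = 1 (mod lcm(p-1, q-1))
    while True:
        h = rng.randrange(2, n)
        if math.gcd(h, n) == 1:
            break
    s = rng.randrange(1, pq)
    # only g h^s = 1 (mod pq) is required: lift h^{-s} mod pq to a random residue mod n
    g = (pow(pow(h, s, pq), -1, pq) + rng.randrange(0, n // pq) * pq) % n
    l = n                                      # assumption: public bound for the randomness r
    return (p, q, s, beta), (n, g, h, k, l, alpha)

def toy_keys(seed=1):
    """Toy key pair (p = 10007, q = 10091, d = 3) for demonstration only."""
    return keygen(10007, 10091, 3, random.Random(seed))

def encrypt(pk, m, rng=None):
    """(C, D, a) with C = m^{2 alpha} g^r mod n, D = h^r mod n, a = (m/n)."""
    n, g, h, k, l, alpha = pk
    rng = rng or random.SystemRandom()
    if not 0 < m < 2 ** (k - 2) or math.gcd(m, n) != 1:
        raise ValueError("plaintext must lie in (0, 2^(k-2)) and be coprime to n")
    r = rng.randrange(0, l + 1)                # 0 <= r <= l
    C = pow(m, 2 * alpha, n) * pow(g, r, n) % n
    D = pow(h, r, n)
    return C, D, jacobi(m, n)

def decrypt(sk, pk, ct):
    """Recover m, or None (the '*' of the text) when no candidate passes both checks."""
    p, q, s, beta = sk
    n, _, _, k, _, _ = pk
    C, D, a = ct
    t = C * pow(D, s, n) % n                   # = m^{2 alpha} (mod pq) since g h^s = 1 (mod pq)
    # t^beta = m^2 (mod p) and (mod q); with p, q = 3 (mod 4) the exponent (p+1)/4 gives a root
    mp = pow(t % p, beta * (p + 1) // 4, p)
    mq = pow(t % q, beta * (q + 1) // 4, q)
    for x in (crt(mp, mq, p, q), crt(p - mp, mq, p, q),
              crt(mp, q - mq, p, q), crt(p - mp, q - mq, p, q)):
        if 0 < x < 2 ** (k - 2) and jacobi(x, n) == a:   # range rejects -x, the symbol the other pair
            return x
    return None

def reduction_step(pk, adv, rng):
    """One round of algorithm A: pick m', r' and a guessed symbol a' uniformly, query the
    plaintext-recovery oracle adv on (C', D', a') and try gcd(m' - m'', n).
    Returns a nontrivial factor of n or None."""
    n, g, h, k, l, alpha = pk
    while True:
        m1 = rng.randrange(1, 2 ** (k - 2))
        if math.gcd(m1, n) == 1:
            break
    r1 = rng.randrange(0, l + 1)
    a1 = rng.choice((-1, 1))
    m2 = adv((pow(m1, 2 * alpha, n) * pow(g, r1, n) % n, pow(h, r1, n), a1))
    if m2 is None or m2 == m1:                 # no root in range, or the guess a' matched (m'/n)
        return None
    f = math.gcd(m1 - m2, n)
    return f if 1 < f < n else None

def factor_with_oracle(pk, adv, rng=None, rounds=64):
    """Repeat reduction_step until a factor appears; each round succeeds with constant probability."""
    rng = rng or random.SystemRandom()
    for _ in range(rounds):
        f = reduction_step(pk, adv, rng)
        if f is not None:
            return f
    return None
```

With the toy primes, A's guessed Jacobi symbol disagrees with (m'/n) in half of the rounds; in those rounds the oracle returns the root from the other pair whenever that root lies below 2^(k-2), and then gcd(m' - m'', n) is p (or a power of p) or q. The test therefore runs a handful of rounds so that the event is overwhelmingly likely, which is the constant-probability success the proof relies on.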

Furthermore, the security against partial deciphering of the cryptography according to the present invention is equivalent to the difficulty of solving the constrained Diffie-Hellman decision problem. The proof thereof is generally the same as the way of proving that ElGamal's cryptosystem is indistinguishable (strong protection of secrecy), presupposing the difficulty of the Diffie-Hellman decision problem.

To elucidate this, such proof is given by confirming that "if there exists an algorithm to solve the constrained Diffie-Hellman decision problem, an algorithm to make a correct inference of $b \in \{0, 1\}$ (the result of a coin toss executed by the encryption oracle) with non-negligible probability can be composed" and that "if there exists an algorithm to make a correct inference of b with non-negligible probability, the constrained Diffie-Hellman decision problem can be solved by using that algorithm."

(Embodiment 3) 

Preferably, a plaintext m should be composed to include check data for verifying that true information was recovered by decryption, in addition to the message text that the sender wants to transmit to the receiver. Thereby, further measures against chosen ciphertext attacks can be taken for the public-key encryption methods of Embodiments 1 and 2.

Specifically, the sender composes a plaintext m including a predetermined redundant text in addition to the message text that the sender wants to transmit to the receiver and encrypts the plaintext by following the encryption procedure set forth in Embodiment 1 (or Embodiment 2). The receiver conducts decryption to recover the plaintext m by following the decryption procedure set forth in Embodiment 1 (or Embodiment 2), and then verifies that the predetermined redundant text exists (if the predetermined redundant text does not exist, decryption is reg arded as unsuccessful). Redundancy can be provided in such a way, for example, as to include one or more duplications of the message that the sender wants to transmit in the plaintext.

Alternatively, the sender composes a plaintext m including a 
message having predetermined meaning in addition to the message text 
that the sender wants to transmit to the receiver and encrypts the plain- 
text by following the encryption procedure set forth in Embodiment 1 (or 
Embodiment 2). The receiver conducts decryption to recover the plain- 
text m by following the decryption procedure set forth in Embodiment 1 
(or Embodiment 2), when the receiver verifies that the contents of the 
message having predetermined meaning are correct (if the contents of the 
message having predetermined meaning are incorrect, decryption is re- 
garded as unsuccessful). 

The means for the above processing are integrated into the en- 
crypting means 1004 and the decrypting means 2004. 

By applying the method described above, the public-key encryption methods of Embodiments 1 and 2 can provide security to a certain degree even against chosen ciphertext attacks. (Other methods in which the security against chosen ciphertext attacks is provable will be described in further illustrative embodiments.)

(Embodiment 4) 

In Embodiment 4, a practicable one-way function is further incorporated into the cryptographic communications method described in Embodiment 1. In this way, key-sharing between the sender and the receiver (that is, key distribution: distributing a key for use in a common-key encryption method) can be achieved. Moreover, environments are created that exclude chosen ciphertext attacks, which are attacks of an active kind, and thus security against active attacks is assured.

In Embodiment 4, additionally, a one-way function means 2008 is provided in the sender-end device 100. An application A program 1005 and an application B program are provided as shown in FIG. 1, which respectively implement the functions of encrypting and decrypting data that is transferred, simultaneously or separately, between them by using a distributed (or shared) key.

1. Key generating process 

As is the case in Embodiment 1, the receiver B generates secret 
data (H, s, a" 1 ) and public data (G, H', g, h, a). At the same time, the 
receiver defines a one-way function f as public data. 

2. Key distribution process 

As is the case in Embodiment 1, the sender A calculates a ciphertext (C, D, a) and sends it to the receiver-end device 200 of the receiver B. Moreover, the sender calculates a shared key K = f(m) from the one-way function f, which is public data, using the one-way function means 2008. The application A program 1005 executes calculation for encryption, using the common key K, as required.

By following the same procedure set forth in Embodiment 1, the receiver B calculates the original plaintext m from the ciphertext (C, D, a). Moreover, the receiver calculates the shared key K from the public data f in accordance with K = f(m), using the one-way function means 2008. The application B program 2005 executes calculation for decryption, using the common key K, as required.

In Embodiment 4, by using the incorporated one-way function as described above, the data to send m itself is never output externally. Thus, safe environments can be created that exclude chosen ciphertext attacks even if the transmitted ciphertext is intended for attack; that is, the environments are secure even against active attacks. 

In the embodiment arranged such that a message as such is transmitted by using the public-key encryption method according to the present invention, the application B program 2005 in the present embodiment interprets the decrypted message in accordance with a predetermined rule. If the program determines that a meaningless message has been decrypted, it erases the message without outputting it to an external device, so that environments excluding active attacks can be created. 
(Embodiment 5) 

Embodiment 5 comprises concrete procedures that specify how to give the finite Abelian group G and subgroup H mentioned in Embodiment 1 and how to generate the additional data a, as described in Embodiment 2, with regard to the key-sharing method described in Embodiment 4. 

1. Key generating process 

As is the case in Embodiment 2, the receiver B generates secret data (p, q, s, β) and public data (n, g, h, k, l, α) (where k is the bit length of pq). Moreover, the receiver defines a one-way function f as public data. 

2. Key distribution process 

The sender A calculates a ciphertext (C, D, a) in the same way 
as in Embodiment 2 and sends it to the receiver-end device 200. More- 
over, the sender calculates a shared key K = f (m) from the one-way 
function f in the same way as in Embodiment 4. The application A pro- 
gram 1005 executes calculation for encryption, using the common key K, 
as required. 

The receiver B calculates the plaintext m in the same way as in 
Embodiment 2. Moreover, the receiver calculates the shared key K = f 
(m) in the same way as in Embodiment 4. The application B program 
2005 executes calculation for decryption, using the common key K, as 
required. 

(Embodiment 6) 

With the aim of improving the decryption process, Embodiment 6 uses the cryptography described in the reference document 4 as the basis and converts it to a method that is defined in a multiplicative group determined from a ring of remainders modulo n = p^d q (where d is an odd number of 3 or greater). Further conversion is made to a public-key encryption method in which the indistinguishability (strong protection of secrecy) against adaptive chosen ciphertext attacks is provable in accordance with the method described in the reference document 12. 

1. Key generation process 

As is the case in the foregoing embodiments, the receiver B generates, in advance, secret data (p, q, β) consisting of elements p, q, and β, where: 

- p and q are prime numbers, p ≡ 3 (mod 4), q ≡ 3 (mod 4); 

- β ∈ Z, αβ ≡ 1 (mod lcm(p − 1, q − 1)), 

and generates public data (n, k, α) consisting of elements n, k, and α (k is the bit length of pq), where: 

- α, k ∈ Z; 

- n = p^d q (where d is an odd number) 

2. Encryption and decryption processes 

(1) The sender A selects a random number r (0 < r < 2^(k0)) with regard to a plaintext m (m ∈ {0, 1}^δ) and calculates the following: 

m1 = (m0^(k1) ⊕ G(r)) || (r ⊕ H(m0^(k1) ⊕ G(r)))   (0 < m1 < 2^(k−2)) 

(where G: {0, 1}^(k0) → {0, 1}^(δ+k1), H: {0, 1}^(δ+k1) → {0, 1}^(k0) are suitable random functions, subject to 0 < m1 < 2^(k−2)) 

Then, the sender obtains the above public data and calculates a Jacobi symbol a = (m1/n) and the following: 

C = m1^(2α) mod n 

Furthermore, the sender sends a ciphertext (C, a) to the receiver-end device 200. 

(2) The receiver B calculates the following from the ciphertext (C, a), using the above secret data (p, q, β) retained: 

m_{1,p} = C^* mod p, 
m_{1,q} = C^* mod q 

and finds x that fulfills conditions (x/n) = a and 0 < x < 2^(k−2) from among φ(m_{1,p}, m_{1,q}), φ(−m_{1,p}, m_{1,q}), φ(m_{1,p}, −m_{1,q}), φ(−m_{1,p}, −m_{1,q}) and determines the x as m'1 (where φ represents the ring isomorphism mapping from Z/(p) × Z/(q) to Z/(pq) according to the Chinese remainder theorem). 

Furthermore, using the arithmetic means 204, the receiver calculates the following, assuming m'1 = s'||t' (where s' is the upper n bits of m'1 and t' is the lower k0 bits thereof): 

m' = [s' ⊕ G(t' ⊕ H(s'))]^(n−k1)   if [s' ⊕ G(t' ⊕ H(s'))]_(k1) = 0^(k1) 
m' = *                              otherwise 

(where [a]^n and [a]_n represent the upper n bits and lower n bits of a, respectively. An asterisk (*) as the result of decryption denotes that decryption is unsuccessful.) 

thereby obtaining the result of decryption. 

If decryption from a ciphertext is unsuccessful, there is a possibility that the ciphertext is intended for attack. Thus, the receiver-end device 200 does not output the plaintext message resulting from such decryption, so that a chosen ciphertext attack is made impossible. In this case, the receiver-end device 200 may be arranged to output nothing as the result of unsuccessful decryption or to report that decryption is unsuccessful. 
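The Embodiment 6 procedure above (the padded m1, C = m1^(2α) mod n with n = p^d q, the choice among the four roots by Jacobi symbol and range, and the asterisk result for unsuccessful decryption), as an added toy implementation that is not part of the patent. It assumes SHA-256-based G and H and constructed toy primes and padding widths; since the decryption exponent is illegible in this copy, it computes C^β mod p followed by the (p+1)/4-th power square root, which the definition αβ ≡ 1 (mod lcm(p−1, q−1)) supports for p ≡ q ≡ 3 (mod 4).

```python
# Added toy implementation of the Embodiment 6 scheme; not the patent's code.
# Assumptions: SHA-256-based G and H, constructed toy primes and padding widths,
# decryption exponent realised as beta = alpha^-1 mod lcm(p-1, q-1) then a (p+1)/4 power.
import hashlib
from math import gcd

DELTA, K0 = 16, 8  # plaintext bits (delta) and randomness bits (k0); constructed toy sizes


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def crt(xp, p, xq, q):
    """The ring isomorphism phi: Z/(p) x Z/(q) -> Z/(pq) used by the receiver."""
    return (xp + p * (((xq - xp) * pow(p, -1, q)) % q)) % (p * q)


def next_prime_11_mod_12(start):
    """Smallest prime >= start that is 3 (mod 4) with 3 not dividing p - 1,
    so that alpha = 3 is invertible modulo lcm(p - 1, q - 1)."""
    c = start
    while not (c % 12 == 11 and all(c % f for f in range(2, int(c ** 0.5) + 1))):
        c += 1
    return c


def rand_func(tag, x, xlen, outlen):
    """Random function {0,1}^xlen -> {0,1}^outlen, realised here with SHA-256."""
    data = tag + x.to_bytes((xlen + 7) // 8, "big")
    out, ctr = b"", 0
    while len(out) * 8 < outlen:
        out += hashlib.sha256(data + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - outlen)


def keygen(d=3, alpha=3):
    """Secret data (p, q, beta) and public data (n, k, alpha), with n = p^d q."""
    p = next_prime_11_mod_12(50000)  # constructed toy primes, p = q = 3 (mod 4)
    q = next_prime_11_mod_12(60000)
    lcm = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    secret = {"p": p, "q": q, "beta": pow(alpha, -1, lcm)}  # alpha*beta = 1 (mod lcm)
    public = {"n": p ** d * q, "k": (p * q).bit_length(), "alpha": alpha}
    return secret, public


def layout(k):
    """Padding widths: m1 = (m||0^k1 xor G(r)) || (r xor H(...)) has k - 2 bits."""
    k1 = k - 2 - DELTA - K0
    assert k1 > 0, "modulus too small for these padding widths"
    return k1, DELTA + k1  # k1 zero bits, width of the upper part s


def encrypt(public, m, r):
    """Sender: returns the ciphertext (C, a) with a the Jacobi symbol (m1/n)."""
    n, k, alpha = public["n"], public["k"], public["alpha"]
    k1, nlen = layout(k)
    assert 0 < m < 1 << DELTA and 0 <= r < 1 << K0
    s = (m << k1) ^ rand_func(b"G", r, K0, nlen)  # m||0^k1 xor G(r)
    t = r ^ rand_func(b"H", s, nlen, K0)  # r xor H(m||0^k1 xor G(r))
    m1 = (s << K0) | t  # 0 < m1 < 2^(k-2)
    if m1 == 0 or gcd(m1, n) != 1:
        raise ValueError("degenerate m1; encrypt again with a fresh r")
    return pow(m1, 2 * alpha, n), jacobi(m1, n)


def decrypt(secret, public, C, a):
    """Receiver: returns m, or None for the asterisk (unsuccessful decryption)."""
    p, q, beta = secret["p"], secret["q"], secret["beta"]
    n, k = public["n"], public["k"]
    k1, nlen = layout(k)
    # C^beta = m1^2 (mod p); for p = 3 (mod 4) the (p+1)/4 power is a square root
    mp = pow(pow(C, beta, p), (p + 1) // 4, p)
    mq = pow(pow(C, beta, q), (q + 1) // 4, q)
    roots = [crt(sp * mp % p, p, sq * mq % q, q) for sp in (1, -1) for sq in (1, -1)]
    good = [x for x in roots if 0 < x < 1 << (k - 2) and jacobi(x, n) == a]
    if len(good) != 1:
        return None  # no root satisfies (x/n) = a and 0 < x < 2^(k-2)
    m1 = good[0]
    s, t = m1 >> K0, m1 & ((1 << K0) - 1)  # m'1 = s'||t'
    u = s ^ rand_func(b"G", t ^ rand_func(b"H", s, nlen, K0), K0, nlen)
    if u & ((1 << k1) - 1):  # lower k1 bits must equal 0^k1
        return None
    return u >> k1  # upper nlen - k1 = delta bits are the plaintext
```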

For the above method, the indistinguishability (strong protection of secrecy) against adaptive chosen plaintext attacks is provable, because the difficulty of deciphering is equivalent to the difficulty of factoring n into prime numbers, as proven in the reference document 12 for (deterministic) public-key ciphers composed from general-purpose trapdoor permutations. 

In Embodiment 6, computation of a modular product is executed three times (assuming α = 3) during the encryption process, and the decryption computation is executed in a multiplicative group of a ring of remainders modulo pq, which is smaller than n. Thus, processing at higher speed than in the previous cryptographic methods is achieved. 
(Embodiment 7) 

Embodiment 7 converts the method of Embodiment 2 to a pub- 
lic-key encryption method in which the indistinguishability (strong pro- 
tection of secrecy) against adaptive chosen plaintext attacks is provable 
in accordance with the method described in the reference document 12. 

1. Key generation process 

As is the case in Embodiment 2, secret data (p, q, s, β) and public data (n, g, h, k, l, α) are generated. 

2. Encryption and decryption processes 

The sender A calculates m1 with regard to a plaintext m (0 < m < 2^δ) in the same way as in Embodiment 6. Then, the sender calculates C and D with regard to m1 in the same way as the calculation with regard to the plaintext m in Embodiment 2. Furthermore, the sender obtains the above public data and calculates a Jacobi symbol a = (m1/n). The sender sends a ciphertext (C, D, a) to the receiver-end device 200. 

The receiver B executes the same calculation as in Embodiment 2 from the ciphertext (C, D, a), using the above secret data (p, q, s, β), and thus obtains m_{1,p}, m_{1,q}. The receiver finds one that fulfills conditions (x/n) = a and 0 < x < 2^(k−2) from among φ(m_{1,p}, m_{1,q}), φ(−m_{1,p}, m_{1,q}), φ(m_{1,p}, −m_{1,q}), φ(−m_{1,p}, −m_{1,q}) and determines the one as m'1. Furthermore, the receiver calculates the following, assuming m'1 = s'||t' (where s' is the upper n bits of m'1 and t' is the lower k0 bits thereof): 

m' = [s' ⊕ G(t' ⊕ H(s'))]^(n−k1)   if [s' ⊕ G(t' ⊕ H(s'))]_(k1) = 0^(k1) 
m' = *                              otherwise 

thereby obtaining the result of decryption. 

In the method according to Embodiment 7, it is provable that 
encrypted information is IND-CCA2 on the presupposition that decipher- 
ing equals solving a more difficult problem than the problem of factoring 
n into prime numbers. 

The table in FIG. 10 lists data indicating efficiency (the number of modular products) and security for comparing Embodiment 8 of the present invention, where it is assumed that α = d = 3, with typical and practical public-key cryptosystems. As regards the method of the invention, the number given in parentheses is the result when preprocessing is executed where practicable. Most of the data in FIG. 10 was excerpted from the reference document 9. 

(Embodiment 8) 

Embodiment 8 is a modification to Embodiment 7. 

1. Key generation process 

As is the case in Embodiment 7, secret data (p, q, s, β) and public data (n, g, h, k, l, α) are generated. 

2. Encryption and decryption processes 

The sender A selects a random number r (r ∈ {0, 1}^(k0)) with regard to a plaintext m (m ∈ {0, 1}^δ) and calculates the following: 

m1 = (m ⊕ G(r)) || (r ⊕ H(m ⊕ G(r)))   (0 < m1 < 2^(k−2)) 

(where G: {0, 1}^(k0) → {0, 1}^(δ+k1), H: {0, 1}^(δ+k1) → {0, 1}^(k0) are suitable random functions, subject to 0 < m1 < 2^(k−2).) 

Then, the sender obtains the above public data and calculates a Jacobi symbol a = (m1/n) and the following: 

C = m1^(2α) g^(F(m1)) mod n,   D = h^(F(m1)) mod n 

where F: {0, 1}^(δ+k0+k1) → {0, 1}^l is a suitable random function. 

Furthermore, the sender sends a ciphertext (C, D, a) to the receiver-end device 200. 

The receiver B executes the same calculation as in Embodiment 7 from the ciphertext (C, D, a), using the above secret data (p, q, s, β), and finds one that fulfills conditions (x/n) = a and 0 < x < 2^(k−2) from among φ(m_{1,p}, m_{1,q}), φ(−m_{1,p}, m_{1,q}), φ(m_{1,p}, −m_{1,q}), φ(−m_{1,p}, −m_{1,q}) and determines the one as m'1. Then, the receiver calculates the following, assuming m'1 = s'||t' (where s' is the upper n bits of m'1 and t' is the lower k0 bits thereof): 

m' = s' ⊕ G(t' ⊕ H(s'))   if (C, D) = (C', D') 
m' = *                     otherwise 

where C' and D' are obtained by: 

C' = m'1^(2α) g^(F(m'1)) mod n,   D' = h^(F(m'1)) mod n 

thereby obtaining the result of decryption. 

In the method according to Embodiment 8, it is provable that encrypted information is IND-CCA2 on the presupposition that deciphering equals solving a more difficult problem than the problem of factoring n into prime numbers. 

Furthermore, a longer plaintext can be encrypted in the method 
of Embodiment 8 as compared with the method of Embodiment 2. 

(Embodiment 9) 

Embodiment 9 is a modification to Embodiment 7. 

1. Key generation process 

Key generation is carried out in the same way as in Embodi- 
ment 7. 

2. Encryption and decryption processes 

The sender A selects a random number r (r ∈ {0, 1}^(k0)) with regard to a plaintext m (m ∈ {0, 1}^δ) and calculates the following: 

m1 = m || r 

where F: {0, 1}^(δ+k0) → {0, 1}^l is a suitable random function, subject to 0 < m1 < 2^(k−2). 

Then, the sender obtains the above public data and calculates a Jacobi symbol a = (m1/n) and the following: 

C = m1^(2α) g^(F(m1)) mod n,   D = h^(F(m1)) mod n 

Furthermore, the sender sends a ciphertext (C, D, a) to the receiver-end device 200. 
As is the case in Embodiment 8, the receiver B obtains m_{1,p}, m_{1,q} from the ciphertext (C, D, a), using the above secret data (p, q, s, β). The receiver finds one that fulfills conditions (x/n) = a and 0 < x < 2^(k−2) from among φ(m_{1,p}, m_{1,q}), φ(−m_{1,p}, m_{1,q}), φ(m_{1,p}, −m_{1,q}), φ(−m_{1,p}, −m_{1,q}) and determines the one as m'1. Furthermore, the receiver calculates the following: 

m' = [m'1]^δ   if (C, D) = (C', D') 
m' = *         otherwise 

where C' and D' are obtained by: 

C' = m'1^(2α) g^(F(m'1)) mod n,   D' = h^(F(m'1)) mod n 

thereby obtaining the result of decryption. 

In the method according to Embodiment 9, it is provable that encrypted information is IND-CCA2 on the presupposition that deciphering equals the difficulty of solving the constrained Diffie-Hellman decision problem. 

Furthermore, a longer plaintext can be encrypted in the method 
of Embodiment 9 as compared with the method of Embodiment 2. 

(Embodiment 10) 

Embodiment 10 comprises the description of a decryption method for augmenting the computational efficiency on the receiver end, based on Embodiments 8 and 9. 

The receiver calculates the following: 

C'_p = m'1^(2α) g^(F(m'1)) mod p^d,   C'_q = m'1^(2α) g^(F(m'1)) mod q 
D'_p = h^(F(m'1)) mod p^d,   D'_q = h^(F(m'1)) mod q 

and verifies that (C, D) = (C', D'), pursuant to: 

C ≡ C'_p (mod p^d),   C ≡ C'_q (mod q) 
D ≡ D'_p (mod p^d),   D ≡ D'_q (mod q) 

In accordance with Embodiment 10, the integers that serve as the moduli of the residue rings whose multiplicative groups are used become small, and thus high-speed processing can be achieved. 

(Embodiment 11) 

As an alternative to the ciphertext calculation process in the 
foregoing embodiments, it is feasible that calculation to obtain m' is 
executed on a storage medium 500 with computing capability possessed 
by the sender and the resulting value of m' is transferred to the sender- 
end device 100 for ciphertext calculation. 

FIG. 2 shows the internal configuration of the storage medium 500 with computing capability (for example, an IC card or a computerized card). The storage medium 500 with computing capability comprises a CPU 501, a memory 502 consisting of a storage device such as a semiconductor storage device, I/O 503, and a bus 504. Various kinds of data and program instructions (referred to as means) to be executed by the CPU 501 are input to the memory 502 via the I/O 503. Plaintext data (data to send) which is to be encrypted is stored into the memory 502. 

In the present embodiment, which will be described later, an encrypting means 5004 in the storage medium 500 with computing capability executes calculation to obtain m' as an intermediate calculation result from a plaintext m, using the above-mentioned public data 2006 retained in the memory 502, together with an exponentiating means 5002 and a modulo arithmetic means 5003, and transfers the resulting value of m' to the sender-end device 100. 

The feature of this embodiment is as follows. According to this method, a message m generated in the IC card 500 is so secure that it is not made known even to the sender-end device 100, into the slot of which the card is inserted. At the same time, a ciphertext can be generated by using the high-speed computing ability of the sender-end device 100. 

Specifically, when the present embodiment is based on Embodiments 1 and 4, the storage medium 500 with computing capability calculates the following from a plaintext m: 

m' = m^α (∈ G) 

Using the resultant m', the sender-end device 100 calculates a ciphertext, according to: 

C = m'g^r,   D = h^r (∈ G) 

When the present embodiment is based on Embodiments 2 and 5, 
the storage medium 500 with computing capability calculates the follow- 
ing from a plaintext m: 



Using the resultant m', the sender-end device 100 calculates a ciphertext, according to: 

C = m'g^r mod n,   D = h^r mod n 



When the present embodiment is based on Embodiment 7, the storage medium 500 with computing capability calculates the following from a plaintext m: 

m'1 = m1^(2α) mod n 

Using the resultant m', the sender-end device 100 calculates a ciphertext, according to: 

C = m'1 g^r mod n,   D = h^r mod n 



When the present embodiment is based on Embodiments 8 and 9, the storage medium 500 with computing capability calculates the following from a plaintext m: 

m'1 = m1^(2α) mod n 

Using the resultant m', the sender-end device 100 calculates a ciphertext, according to: 

C = m'1 g^(F(m1)) mod n,   D = h^(F(m1)) mod n 



In the foregoing embodiments, by selecting a large value of d (d ≥ 1) within the range where factoring n into prime numbers remains difficult, the bit count of p becomes small if the bit count of n is held constant, and thus high-speed decryption processing can be performed. If d is an odd number and d > 1, the processing efficiency can be improved still further. 

If the value of d is put under the management of a third party's device or the receiver-end device, it can be varied according to further development of computing ability and the relation between the computation time required for factorization into prime numbers and safety. 

Preprocessing is possible for the calculations that do not relate to the data to send m but are involved in the foregoing embodiments, such as: 

g^r, h^r (∈ G) 

or 

g^r mod n, h^r mod n 

It is advisable to execute these calculations in advance and store the re- 
sultant values into the storage means (such as the memory 102) of the 
sender-end device 100. By reading these values when they are used, the 
time required for encryption can be reduced drastically. 

When such preprocessing is performed, the number of modular products during the process for the data to send m becomes one. Therefore, the time required for encryption can be reduced drastically. 

As the data to send m in the foregoing embodiments, besides an 
ordinary message that the sender wants to send in secret, a common key 
for use in the common key cryptographic method, a message to be used 
for message authentication and a message authenticator in combination 
are applicable. 

Although the typical form of cryptographic communication be- 
tween the sender working the sender's device and the receiver working 
the receiver's device was discussed in the present embodiments, practi- 
cally, the invention may be applied to various types of systems. 


For example, in an electronic shopping system, the sender is a 
user, the sender-end device is a computer such as a personal computer, 
the receiver is a retail shop, and the receiver-end device is a computer 
such as a personal computer. In this case, the user's order for a com- 
modity is often encrypted by the common key cryptographic method. For 
such key encryption, the key-sharing (key distribution) method according 
to the present invention may be used and the encrypted key is sent to the 
computer on the retail shop end. 

Another application example is an E-mail system wherein the sender and receiver devices are computers such as personal computers and the sender's message is often encrypted by the common key cryptographic method. In this case, similarly, the key-sharing (key distribution) method according to the present invention may be used for key encryption and the encrypted key is sent to the receiver's computer. 

For other diverse systems for which conventional public-key 
cryptography is used, the present invention is applicable. 

The above description assumes that all calculations in the pre- 
sent embodiments are executed in the way that the CPU executes the pro- 
gram instructions stored in the memory. However, an alternative may be 
adopted such that at least one arithmetic unit of LSI or other hardware is 
installed to operate instead of programs and transfer data to/from other 
arithmetic units and the CPU. 

Industrial Applicability 

In accordance with the present invention, a public-key encryp- 
tion method that is secure against ciphertext attacks and enables high- 
speed processing and its variety of applications can be provided. 
Claims 

1. A public-key encryption method for data transmitted between a sender who encrypts data to send with a public key and a receiver who decrypts the data encrypted and delivered to the receiver with a secret key corresponding to said public key, said public-key encryption method comprising: 

(a) a key generation step which the receiver conducts by working the receiver-end device, according to a procedure comprising: 

generating a secret key (H, s, α^(-1)) consisting of elements H, s, and α^(-1), where: 

- H is a subgroup of G; 

- s ∈ Z, gh^s = 1 (∈ G); 

- α^(-1) ∈ Z, 

(wherein α^(-1) is the inverse element of α in the ring modulo the order of the finite group H) 

and 

generating a public key (G, H', g, h, α) consisting of elements G, H', g, h, and α, where: 

- G is a finite Abelian group; 

- H' is a subgroup of H; 

- g, h ∈ G; 

- α ∈ Z, 
(b) encryption which the sender conducts by working the sender-end device, according to a procedure comprising: 

calculating the following equations with regard to a plaintext m (∈ H') and a random number r: 

C = m^α g^r,   D = h^r (∈ G) 

calculating additional data a which ensures that a ciphertext is uniquely decrypted to its plaintext; 

composing a ciphertext (C, D, a) from the obtained C, D, and a; and 

sending the ciphertext (C, D, a) to said receiver, 

(c) decryption which said receiver conducts by working said receiver-end device, according to a procedure comprising: 

calculating the following equation from the ciphertext (C, D, a), using the elements (s, α^(-1)) of said secret key: 

m = (CD^s)^(α^(-1)) (∈ H) 

and 

calculating the original plaintext m from the additional data a. 






2. A public-key encryption method for data transmitted between a sender 
who encrypts data to send with a public key and a receiver who decrypts 






the data encrypted and delivered to the receiver with a secret key corre- 
sponding to said public key, said public-key encryption method compris- 
ing: 

(a) a key generation step which the receiver conducts by working the receiver-end device, according to a procedure comprising: 

generating a secret key (p, q, s, β) consisting of elements p, q, s, and β, where: 

- p and q are prime numbers, p ≡ 3 (mod 4), q ≡ 3 (mod 4); 

- s ∈ Z, gh^s ≡ 1 (mod pq); 

- β ∈ Z, αβ ≡ 1 (mod lcm(p − 1, q − 1)), 

and 

generating a public key (n, g, h, k, l, α) consisting of elements n, g, h, k, l, and α (k is the bit length of pq) where: 

- α, g, h, k, l ∈ Z (0 < g, h < n); 

- n = p^d q (where d is an odd number), 

(b) encryption which the sender conducts by working the sender-end device, according to a procedure comprising: 

calculating the following equations with regard to a plaintext m (0 < m < 2^(k−2)) and a random number r (0 ≤ r ≤ l): 

C = m^(2α) g^r mod n,   D = h^r mod n 

calculating a Jacobi symbol a = (m/n); and 

sending the ciphertext (C, D, a) to said receiver, 

(c) decryption which said receiver conducts by working said receiver-end device, according to a procedure comprising: 

calculating the following from the ciphertext (C, D, a), using said secret key (p, q, s, β): 

m_{1,p} = (CD^s)^* mod p, 
m_{1,q} = (CD^s)^* mod q 

and 

finding one that fulfills conditions (x/n) = a and 0 < x < 2^(k−2) from among φ(m_{1,p}, m_{1,q}), φ(−m_{1,p}, m_{1,q}), φ(m_{1,p}, −m_{1,q}), φ(−m_{1,p}, −m_{1,q}) and determining the one as the plaintext m (where φ represents the ring isomorphism mapping from Z/(p) × Z/(q) to Z/(pq) according to the Chinese remainder theorem). 


3. The public-key encryption method as recited in claim 2, further comprising: 

a step that said sender composes said plaintext m including check data for verifying the recovery of true information by decryption in addition to a message text which must be transmitted to said receiver. 



4. The public-key encryption method as recited in claim 3, further comprising: 

a step that said sender composes said plaintext m including a predetermined redundant text in addition to a message text which must be transmitted to said receiver before encrypting the text in accordance with the procedure set forth in claim 1; and 

a step that said receiver verifies that the predetermined redun- 
dant text exists when performing decryption to recover the plaintext m in 
accordance with the procedure set forth in claim 1. 

5. The public-key encryption method as recited in claim 3, further com- 
prising: 

a step that said sender composes said plaintext m including a prede- 
termined redundant text in addition to a message text which must be 
transmitted to said receiver before encrypting the text in accordance with 
the procedure set forth in claim 2; and 

a step that said receiver verifies that the predetermined redun- 
dant text exists when performing decryption to recover the plaintext m in 
accordance with the procedure set forth in claim 2. 

6. The public-key encryption method as recited in claim 2, wherein: 

a random function H is made public; and 

said sender works the sender-end device to conduct: 

generating random number data; 

executing calculation for the random number data by exclusive 
OR and data coherence; 

assigning a result obtained from the calculation to the random 
function H, calculating the random function and obtaining a result from 
the random function H; 
executing calculation for the random number data and the result from the random function H by exclusive OR and data coherence; 

replacing the random number r mentioned in claim 2 by a result 
obtained from this calculation; and 

executing encryption, according to the encryption procedure in 
the public-key encryption method set forth in claim 2. 

7. A public-key decryption method for decrypting a ciphertext encrypted 
in accordance with the method of claim 6, comprising the steps of: 

carrying out the decryption procedure in the public-key encryp- 
tion method set forth in claim 2; 

verifying the validity of the calculation procedure by exclusive 
OR and data coherence executed as set forth in claim 6; and 

outputting the result of decryption. 

8. A public-key encryption method for data transmitted between a sender 
who encrypts data to send with a public key and a receiver who decrypts 
the data encrypted and delivered to the receiver with a secret key corre- 
sponding to said public key, said public-key encryption method compris- 
ing: 

(a) a key generation step which the receiver conducts by working the receiver-end device, according to a procedure comprising: 

generating a secret key (p, q, β) consisting of elements p, q, and β, where: 

- p and q are prime numbers, p ≡ 3 (mod 4), q ≡ 3 (mod 4); 

- β ∈ Z, αβ ≡ 1 (mod lcm(p − 1, q − 1)), 

and 

generating a public key (n, k, α) consisting of elements n, k, and α (k is the bit length of pq), where: 

- α, k ∈ Z; 

- n = p^d q (where d is an odd number), 

(b) encryption which the sender conducts by working the sender-end device, according to a procedure comprising: 

calculating the following equation with regard to a plaintext m (0 < m < 2^(k−2)): 

m1 = (m0^(k1) ⊕ G(r)) || (r ⊕ H(m0^(k1) ⊕ G(r)))   (0 < m1 < 2^(k−2)) 

(where G: {0, 1}^(k0) → {0, 1}^n, H: {0, 1}^n → {0, 1}^(k0) are suitable random functions, subject to k = n + k0 + 2) 

calculating a Jacobi symbol a = (m1/n) and the following equation: 

C = m1^(2α) mod n 

and 

sending the ciphertext (C, a) to said receiver, 
(c) decryption which said receiver conducts by working said receiver-end device, according to a procedure comprising: 

calculating the following from the ciphertext (C, a), using said secret key (p, q, β): 

m_{1,p} = C^* mod p, 
m_{1,q} = C^* mod q 

finding x that fulfills conditions (x/n) = a and 0 < x < 2^(k−2) from among φ(m_{1,p}, m_{1,q}), φ(−m_{1,p}, m_{1,q}), φ(m_{1,p}, −m_{1,q}), φ(−m_{1,p}, −m_{1,q}) and determining the x as m'1 (where φ represents the ring isomorphism mapping from Z/(p) × Z/(q) to Z/(pq) according to the Chinese remainder theorem); and 

calculating the following, assuming m'1 = s'||t' (where s' is the upper n bits of m'1 and t' is the lower k0 bits thereof): 

m' = [s' ⊕ G(t' ⊕ H(s'))]^(n−k1)   if [s' ⊕ G(t' ⊕ H(s'))]_(k1) = 0^(k1) 
m' = *                              otherwise 

(where [a]^n and [a]_n represent the upper n bits and lower n bits of a, respectively. An asterisk (*) as the result of decryption denotes that decryption is unsuccessful.) 

thereby obtaining the result of decryption. 



9. A public-key encryption method for data transmitted between a sender who encrypts data to send with a public key and a receiver who decrypts the data encrypted and delivered to the receiver with a secret key corresponding to said public key, said public-key encryption method comprising: 

(a) a key generation step which the receiver conducts by working the receiver-end device, according to a procedure comprising: 

generating a secret key (p, q, s, β) consisting of elements p, q, s, and β, where: 

- p and q are prime numbers, p ≡ 3 (mod 4), q ≡ 3 (mod 4); 

- s ∈ Z, gh^s ≡ 1 (mod pq); 

- β ∈ Z, αβ ≡ 1 (mod lcm(p − 1, q − 1)), 

and 

generating a public key (n, g, h, k, l, α) consisting of elements n, g, h, k, l, and α (k is the bit length of pq) where: 

- α, g, h, k, l ∈ Z (0 < g, h < n); 

- n = p^d q (where d is an odd number), 

(b) encryption which the sender conducts by working the sender-end device, according to a procedure comprising: 

calculating the following equation with regard to a plaintext m (0 < m < 2^(k−1)) and a random number r' (0 ≤ r' ≤ l): 

m1 = (m0^(k1) ⊕ G(r)) || (r ⊕ H(m0^(k1) ⊕ G(r)))   (0 < m1 < 2^(k−2)) 

(where G: {0, 1}^(k0) → {0, 1}^n, H: {0, 1}^n → {0, 1}^(k0) are suitable random functions, subject to k = n + k0 + 2) 

calculating a Jacobi symbol a = (m1/n) and the following equations: 

C = m1^(2α) g^r mod n,   D = h^r mod n 

and 

sending the ciphertext (C, D, a) to said receiver, 



(c) decryption which said receiver conducts by working said receiver-end device, according to a procedure comprising: 

calculating the following from the ciphertext (C, D, a), using said secret key (p, q, s, β): 

m_{1,p} = (CD^s)^* mod p, 
m_{1,q} = (CD^s)^* mod q 

finding x that fulfills conditions (x/n) = a and 0 < x < 2^(k−2) from among φ(m_{1,p}, m_{1,q}), φ(−m_{1,p}, m_{1,q}), φ(m_{1,p}, −m_{1,q}), φ(−m_{1,p}, −m_{1,q}) and determining the x as m'1 (where φ represents the ring isomorphism mapping from Z/(p) × Z/(q) to Z/(pq) according to the Chinese remainder theorem); and 

calculating the following, assuming m'1 = s'||t' (where s' is the upper n bits of m'1 and t' is the lower k0 bits thereof): 

m' = [s' ⊕ G(t' ⊕ H(s'))]^(n−k1)   if [s' ⊕ G(t' ⊕ H(s'))]_(k1) = 0^(k1) 
m' = *                              otherwise 

(where [a]^n and [a]_n represent the upper n bits and lower n bits of a, respectively. An asterisk (*) as the result of decryption denotes that decryption is unsuccessful.) 

thereby obtaining the result of decryption. 

10. A public-key encryption method for data transmitted between a sender who encrypts data to send with a public key and a receiver who decrypts the data encrypted and delivered to the receiver with a secret key corresponding to said public key, said public-key encryption method comprising: 

(a) a key generation step which the receiver conducts by working the receiver-end device, according to a procedure comprising: 

generating a secret key (p, q, s, β) consisting of elements p, q, s, and β, where: 

- p and q are prime numbers, p ≡ 3 (mod 4), q ≡ 3 (mod 4); 

- s ∈ Z, gh^s ≡ 1 (mod pq); 

- β ∈ Z, αβ ≡ 1 (mod lcm(p − 1, q − 1)), 

and 

generating a public key (n, g, h, k, l, α) consisting of elements n, g, h, k, l, and α (k is the bit length of pq) where: 

- α, g, h, k, l ∈ Z (0 < g, h < n); 

- n = p^d q (where d is an odd number), 

(b) encryption which the sender conducts by working the 
sender-end device, according to a procedure comprising: 

calculating the following equation with regard to a plaintext m 
(0 < m < 2^n): 

m_1 = (m ⊕ G(r)) || (r ⊕ H(m ⊕ G(r)))   (0 < m_1 < 2^{k-2}) 

(where G: {0, 1}^{k_0} → {0, 1}^n, H: {0, 1}^n → {0, 1}^{k_0} are suitable random 
functions, subject to k = n + k_0 + 2) 

calculating a Jacobi symbol a = (m_1/n) and the following equa- 
tions: 

C = m_1^{2α} g^{F(m_1)} mod n,   D = h^{F(m_1)} mod n 

(where F: {0, 1}^{n+k_0} → {0, 1}^l is a suitable random function) 
and 

sending the ciphertext (C, D, a) to said receiver, 



(c) decryption which said receiver conducts by working said re- 
ceiver-end device, according to a procedure comprising: 

calculating the following from the ciphertext (C, D, a), using 
said secret key (p, q, s, β): 

m_{1,p} = (C D^s)^{β(p+1)/4} mod p,   m_{1,q} = (C D^s)^{β(q+1)/4} mod q 

finding x that fulfills conditions (x/n) = a and 0 < x < 2^{k-2} from 
among φ(m_{1,p}, m_{1,q}), φ(-m_{1,p}, m_{1,q}), φ(m_{1,p}, -m_{1,q}), φ(-m_{1,p}, -m_{1,q}) 
and determining the x as m'_1 (where φ represents the ring isomorphism 
mapping from Z/(p) × Z/(q) to Z/(pq) according to the Chinese remainder 
theorem); and 

calculating the following, assuming m'_1 = s'||t' (where s' is the up- 
per n bits of m'_1 and t' is the lower k_0 bits thereof): 

m' = s' ⊕ G(t' ⊕ H(s'))   if (C, D) = (C', D') 
m' = *                     otherwise 

(where C' and D' are obtained by: 

C' = m'_1^{2α} g^{F(m'_1)} mod n,   D' = h^{F(m'_1)} mod n 

and [a]^n and [a]_n represent the upper n bits and lower n bits of a, respec- 
tively. An asterisk (*) as the result of decryption denotes that decryp- 
tion is unsuccessful.) 

thereby obtaining the result of decryption. 



11. The public-key encryption method as recited in claim 10, wherein: 
said receiver works said receiver-end device to calculate the 
following: 

C'_p = m'_1^{2α} g^{F(m'_1)} mod p^d,   C'_q = m'_1^{2α} g^{F(m'_1)} mod q 
D'_p = h^{F(m'_1)} mod p^d,             D'_q = h^{F(m'_1)} mod q 

and verify that (C, D) = (C', D'), pursuant to: 

C ≡ C'_p (mod p^d),   C ≡ C'_q (mod q) 
D ≡ D'_p (mod p^d),   D ≡ D'_q (mod q) 

12. A public-key encryption method for data transmitted between a 
sender who encrypts data to send with a public key and a receiver who 
decrypts the data encrypted and delivered to the receiver with a secret 
key corresponding to said public key, said public-key encryption method 
comprising: 

(a) a key generation step which the receiver conducts by work- 
ing the receiver-end device, according to a procedure comprising: 

generating a secret key (p, q, s, β) consisting of elements p, q, 
s, and β, where: 

- p and q are prime numbers, p ≡ 3 (mod 4), q ≡ 3 (mod 4); 

- s ∈ Z, g h^s ≡ 1 (mod pq); 

- β ∈ Z, αβ ≡ 1 (mod lcm(p - 1, q - 1)), 

and 

generating a public key (n, g, h, k, l, α) consisting of elements 
n, g, h, k, l, and α (k is the bit length of pq) where: 

- α, g, h, k, l ∈ Z (0 < g, h < n); 

- n = p^d q (where d is an odd number), 

(b) encryption which the sender conducts by working the 
sender-end device, according to a procedure comprising: 

selecting a random number r (0 < r < 2^{k_0}) with regard to a 
plaintext m (0 < m < 2^n); 

calculating the following: 

m_1 = m || r 

(where F: {0, 1}^{n+k_0} → {0, 1}^l is a suitable random function, subject to k 
= n + k_0 + 2) 

calculating a Jacobi symbol a = (m_1/n) and the following equa- 
tions: 

C = m_1^{2α} g^{F(m_1)} mod n,   D = h^{F(m_1)} mod n 
and 

sending the ciphertext (C, D, a) to said receiver, 

(c) decryption which said receiver conducts by working said re- 
ceiver-end device, according to a procedure comprising: 

calculating the following from the ciphertext (C, D, a), using 
said secret key (p, q, s, β): 

m_{1,p} = (C D^s)^{β(p+1)/4} mod p,   m_{1,q} = (C D^s)^{β(q+1)/4} mod q 

finding x that fulfills conditions (x/n) = a and 0 < x < 2^{k-2} from 
among φ(m_{1,p}, m_{1,q}), φ(-m_{1,p}, m_{1,q}), φ(m_{1,p}, -m_{1,q}), φ(-m_{1,p}, -m_{1,q}) 
and determining the x as m'_1 (where φ represents the ring isomorphism 
mapping from Z/(p) × Z/(q) to Z/(pq) according to the Chinese remainder 
theorem); and 

calculating the following: 

m' = [m'_1]^n   if (C, D) = (C', D') 
m' = *          otherwise 

(where C' and D' are obtained by: 

C' = m'_1^{2α} g^{F(m'_1)} mod n,   D' = h^{F(m'_1)} mod n 

and [a]^n and [a]_n represent the upper n bits and lower n bits of a, respec- 
tively. An asterisk (*) as the result of decryption denotes that decryp- 
tion is unsuccessful.) 

thereby obtaining the result of decryption. 



20 



13. The public-key encryption method as recited in claim 12, wherein: 

said receiver works said receiver-end device to calculate the 
following: 

C'_p = m'_1^{2α} g^{F(m'_1)} mod p^d,   C'_q = m'_1^{2α} g^{F(m'_1)} mod q 
D'_p = h^{F(m'_1)} mod p^d,             D'_q = h^{F(m'_1)} mod q 

and verify that (C, D) = (C', D'), pursuant to: 

C ≡ C'_p (mod p^d),   C ≡ C'_q (mod q) 
D ≡ D'_p (mod p^d),   D ≡ D'_q (mod q) 

14. A cryptographic communications system comprising a sender-end 
device and a receiver-end device, said sender-end device having means 
for encrypting data to send with a public key, said receiver-end device 
having means for decrypting said data encrypted and delivered thereto 
with a secret key corresponding to said public key, said cryptographic 
communications system arranged such that: 

said receiver-end device is equipped with: 

secret key generating means for generating a secret key (p, q, 
s, β) consisting of elements p, q, s, and β, where: 

- p and q are prime numbers, p ≡ 3 (mod 4), q ≡ 3 (mod 4); 

- s ∈ Z, g h^s ≡ 1 (mod pq); 

- β ∈ Z, αβ ≡ 1 (mod lcm(p - 1, q - 1)), 

and 

public key generating means for generating a public key (n, g, 
h, k, l, α) consisting of elements n, g, h, k, l, and α (k is the bit length 
of pq) where: 

- α, g, h, k, l ∈ Z (0 < g, h < n); 

- n = p^d q (where d is an odd number), 

said sender-end device is equipped with: 

means for calculating the following equations with regard to a 
plaintext m (0 < m < 2^{k-2}) and a random number r (0 ≤ r ≤ l): 

C = m^{2α} g^r mod n,   D = h^r mod n 

means for calculating a Jacobi symbol a = (m/n) and sending 
the ciphertext (C, D, a) to said receiver, 

said receiver-end device is further equipped with: 

means for calculating the following from the ciphertext (C, D, 
a), using said secret key (p, q, s, β) 

m_{1,p} = (C D^s)^{β(p+1)/4} mod p, 
m_{1,q} = (C D^s)^{β(q+1)/4} mod q 

and 

means for finding one that fulfills conditions (x/n) = a and 0 < 
x < 2^{k-2} from among φ(m_{1,p}, m_{1,q}), φ(-m_{1,p}, m_{1,q}), φ(m_{1,p}, -m_{1,q}), 
φ(-m_{1,p}, -m_{1,q}) (where φ represents the ring isomorphism mapping from Z/(p) 
× Z/(q) to Z/(pq) according to the Chinese remainder theorem) and output- 
ting the one as the plaintext m. 

15. A medium having a program stored thereto, said program to be 
loaded into both a sender-end computer which encrypts data to send with 
a public key and a receiver-end computer which decrypts said data once 
encrypted and delivered thereto with a secret key corresponding to said 
public key, said program comprising: 

(a) instructions making said receiver-end device perform a key 
generation step comprising: 

generating a secret key (p, q, s, β) consisting of elements p, q, 
s, and β, where: 

- p and q are prime numbers, p ≡ 3 (mod 4), q ≡ 3 (mod 4); 

- s ∈ Z, g h^s ≡ 1 (mod pq); 

- β ∈ Z, αβ ≡ 1 (mod lcm(p - 1, q - 1)), 

and 

generating a public key (n, g, h, k, l, α) consisting of elements 
n, g, h, k, l, and α (k is the bit length of pq) where: 

- α, g, h, k, l ∈ Z (0 < g, h < n); 

- n = p^d q (where d is an odd number), 

(b) instructions making said sender-end device perform encryp- 
tion comprising: 
calculating the following equations with regard to a plaintext m 
(0 < m < 2^{k-2}) and a random number r (0 ≤ r ≤ l): 

C = m^{2α} g^r mod n,   D = h^r mod n 

calculating a Jacobi symbol a = (m/n) and 
sending the ciphertext (C, D, a) to said receiver, 

(c) instructions making said receiver-end device perform de- 
cryption comprising: 

calculating the following from the ciphertext (C, D, a), using 
said secret key (p, q, s, β) 

m_{1,p} = (C D^s)^{β(p+1)/4} mod p, 
m_{1,q} = (C D^s)^{β(q+1)/4} mod q 

and 

finding one that fulfills conditions (x/n) = a and 0 < x < 2^{k-2} 
from among φ(m_{1,p}, m_{1,q}), φ(-m_{1,p}, m_{1,q}), φ(m_{1,p}, -m_{1,q}), φ(-m_{1,p}, 
-m_{1,q}) (where φ represents the ring isomorphism mapping from Z/(p) × Z/(q) 
to Z/(pq) according to the Chinese remainder theorem) and outputting the 
one as the plaintext m. 



16. A sender-end device to be used in a cryptographic communications 
system in which data to send is encrypted with a public key correspond- 
ing to a secret key registered on a receiver-end device and the receiver- 
end device decrypts the data encrypted and delivered thereto, said 
sender-end device configured so as to be equipped with: 

means for calculating the following equations with regard to a 
plaintext m (0 < m < 2^{k-2}) and a random number r (0 ≤ r ≤ l): 

C = m^{2α} g^r mod n,   D = h^r mod n 

through the use of a public key (n, g, h, k, l, α) consisting of 
elements n, g, h, k, l, and α (k is the bit length of pq) where: 

- α, g, h, k, l ∈ Z (0 < g, h < n); 

- n = p^d q (where d is an odd number), 

the public key corresponding to a secret key (p, q, s, β) con- 
sisting of elements p, q, s, and β, which has been generated by said re- 
ceiver-end device, where: 

- p and q are prime numbers, p ≡ 3 (mod 4), q ≡ 3 (mod 4); 

- s ∈ Z, g h^s ≡ 1 (mod pq); 

- β ∈ Z, αβ ≡ 1 (mod lcm(p - 1, q - 1)), 

means for calculating a Jacobi symbol a = (m/n) to compose a 
ciphertext (C, D, a); and 

means for sending the ciphertext (C, D, a) to said receiver-end 
device. 
17. A receiver-end device to be used in a cryptographic communications 
system in which said receiver-end device decrypts data encrypted with a 
public key by a sender-end device and delivered thereto, said public key 
corresponding to a secret key, said receiver-end device configured so as 
to be equipped with: 

secret key generating means for generating a secret key (p, q, 
s, β) consisting of elements p, q, s, and β, where: 

- p and q are prime numbers, p ≡ 3 (mod 4), q ≡ 3 (mod 4); 

- s ∈ Z, g h^s ≡ 1 (mod pq); 

- β ∈ Z, αβ ≡ 1 (mod lcm(p - 1, q - 1)), 

public key generating means for generating a public key (n, g, 
h, k, l, α) consisting of elements n, g, h, k, l, and α (k is the bit length 
of pq) where: 

- α, g, h, k, l ∈ Z (0 < g, h < n); 

- n = p^d q (where d is an odd number), 

means for receiving a ciphertext (C, D, a) consisting of ele- 
ments C, D, and a that said sender-end device has generated by calculat- 
ing the following equations with regard to a plaintext m (0 < m < 2^{k-2}) 
and a random number r (0 ≤ r ≤ l), using said public key (n, g, h, k, l, 
α): 

C = m^{2α} g^r mod n,   D = h^r mod n 

and by calculating a Jacobi symbol a = (m/n), 

means for calculating the following from the ciphertext (C, D, 
a), using said secret key (p, q, s, β): 

m_{1,p} = (C D^s)^{β(p+1)/4} mod p, 
m_{1,q} = (C D^s)^{β(q+1)/4} mod q 

and 

means for finding one that fulfills conditions (x/n) = a and 0 < 
x < 2^{k-2} from among φ(m_{1,p}, m_{1,q}), φ(-m_{1,p}, m_{1,q}), φ(m_{1,p}, -m_{1,q}), 
φ(-m_{1,p}, -m_{1,q}) (where φ represents the ring isomorphism mapping from Z/(p) 
× Z/(q) to Z/(pq) according to the Chinese remainder theorem) and output- 
ting the one as the plaintext m. 
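The key generation, encryption and decryption of claims 14 through 17, together with the m_1 = m || r padding of claim 12 and the re-encryption check of claims 11 and 13, carried through on toy parameters as an added worked example in Python. This is illustration code written for this edition, not code from the patent or its applicant. It assumes 20-bit primes, d = 3, the exponent bound l = pq, and instantiates the claims' "suitable random function" F with SHA-256 reduced to [0, l]; those choices and the names jacobi, phi, keygen, encrypt, decrypt, encrypt_padded and decrypt_padded are the example's own.

```python
import hashlib
import random
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def phi(ap, aq, p, q):
    """The claims' ring isomorphism Z/(p) x Z/(q) -> Z/(pq) (Chinese remainder theorem)."""
    return (ap + p * ((aq - ap) * pow(p, -1, q) % q)) % (p * q)

def keygen(p, q, d=3, seed=1):
    """Secret key (p, q, s, beta) and public key (n, g, h, k, l, alpha) as in claim 14."""
    assert p % 4 == 3 and q % 4 == 3 and d % 2 == 1
    rng = random.Random(seed)                      # deterministic choices for the demo
    pq, n = p * q, p ** d * q                      # n = p^d q with d odd
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    alpha = 3
    while gcd(alpha, lam) != 1:                    # alpha must be invertible mod lam
        alpha += 2
    beta = pow(alpha, -1, lam)                     # alpha * beta == 1 (mod lcm(p-1, q-1))
    h = rng.randrange(2, n)
    while gcd(h, n) != 1:
        h = rng.randrange(2, n)
    s = rng.randrange(1, lam)
    g = pow(h, -s, pq)                             # g * h^s == 1 (mod pq)
    k = pq.bit_length()                            # k is the bit length of pq
    l = pq                                         # assumption: bound on the random exponent r
    return (p, q, s, beta), (n, g, h, k, l, alpha)

def encrypt(pk, m, r):
    """Claim 14 encryption: C = m^(2 alpha) g^r, D = h^r (mod n), a = (m/n)."""
    n, g, h, k, l, alpha = pk
    assert 0 < m < 1 << (k - 2) and 0 <= r <= l
    return pow(m, 2 * alpha, n) * pow(g, r, n) % n, pow(h, r, n), jacobi(m, n)

def decrypt(sk, pk, ct):
    """Claim 14 decryption: the unique candidate with (x/n) = a and x < 2^(k-2), else None."""
    p, q, s, beta = sk
    n, g, h, k, l, alpha = pk
    C, D, a = ct
    t = C * pow(D, s, n) % n                       # == m^(2 alpha) (mod pq) since g h^s == 1 (mod pq)
    # t^beta == m^2 (mod p) because alpha*beta == 1 (mod p-1); x^((p+1)/4) is a square root for p == 3 (mod 4)
    mp = pow(t % p, beta * (p + 1) // 4, p)
    mq = pow(t % q, beta * (q + 1) // 4, q)
    for x in (phi(mp, mq, p, q), phi(-mp, mq, p, q), phi(mp, -mq, p, q), phi(-mp, -mq, p, q)):
        if jacobi(x, n) == a and 0 < x < 1 << (k - 2):
            return x
    return None

def F(m1, l):
    """Assumed instantiation of claim 12's random function F: SHA-256 of m1, reduced to [0, l]."""
    digest = hashlib.sha256(m1.to_bytes((m1.bit_length() + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") % (l + 1)

def encrypt_padded(pk, m, r, k0):
    """Claim 12 encryption: m1 = m || r, and the exponent F(m1) replaces the random r of claim 14."""
    n, g, h, k, l, alpha = pk
    assert 0 < m < 1 << (k - 2 - k0) and 0 < r < 1 << k0   # plaintext has n = k - k0 - 2 bits
    m1 = (m << k0) | r
    e = F(m1, l)
    return pow(m1, 2 * alpha, n) * pow(g, e, n) % n, pow(h, e, n), jacobi(m1, n)

def decrypt_padded(sk, pk, ct, k0):
    """Claims 12/13: recover m1', re-encrypt it mod p^d and mod q, return the upper bits or None ('*')."""
    p, q, s, beta = sk
    n, g, h, k, l, alpha = pk
    C, D, a = ct
    m1 = decrypt(sk, pk, ct)
    if m1 is None:
        return None
    e, pd = F(m1, l), n // q                       # pd = p^d
    Cp = pow(m1, 2 * alpha, pd) * pow(g, e, pd) % pd
    Cq = pow(m1, 2 * alpha, q) * pow(g, e, q) % q
    if (C % pd, C % q, D % pd, D % q) != (Cp, Cq, pow(h, e, pd), pow(h, e, q)):
        return None                                # '*': decryption unsuccessful
    return m1 >> k0                                # the upper n bits of m1' are the plaintext

if __name__ == "__main__":
    sk, pk = keygen(1000003, 999983)               # constructed toy primes, both == 3 (mod 4)
    assert decrypt(sk, pk, encrypt(pk, 123456789, 987654)) == 123456789
    ct = encrypt_padded(pk, 0x12345678, 0xA5, 8)
    assert decrypt_padded(sk, pk, ct, 8) == 0x12345678
    assert decrypt_padded(sk, pk, (ct[0] + 1, ct[1], ct[2]), 8) is None
    print("claim 14 and claim 12/13 round trips ok")
```

Why the two selection conditions of the claims together pick out a single candidate: flipping the sign of the q-component multiplies the Jacobi symbol by (-1/q) = -1, while flipping both signs multiplies it by (-1/p)^d (-1/q) = 1 for odd d, so (x/n) = a leaves exactly the pair {x, pq - x}, and the bound x < 2^{k-2} ≤ pq/2 leaves one of them. In decrypt_padded the check of claim 13 is done modulo p^d and modulo q separately, which is equivalent to comparing modulo n; a ciphertext that was modified in transit fails it and yields the "*" result (None here) rather than a wrong plaintext.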



Abstract 



A method for cryptographic communications by public-key en- 
cryption is disclosed in which a sender generates a ciphertext, using a 
public key of a receiver, by the internal operation of the sender-end de- 
vice 100, and transmits the ciphertext to the receiver-end device 200 
over a network 300, and the receiver decrypts the ciphertext with the re- 
ceiver's secret key. In accordance with this method, the procedures for 
encryption and decryption are set up so as to provide the security features 
of both the Rabin cryptosystem and the ElGamal cryptosystem. The fea- 
ture of the former is one-wayness against chosen plaintext attacks, presup- 
posing the difficulty of factorization into prime factors; the feature of the 
latter is indistinguishability, namely strong protection of secrecy against 
chosen plaintext attacks, presupposing the difficulty of the Diffie-Hellman 
decision problem. Moreover, with the aim of using a common-key crypto- 
system for key distribution, the size of the plaintext space is reduced while 
the true plaintext space is kept secret. In this way, a public-key encryption 
method whose security can be proved, presupposing that the underlying 
problem is more difficult to solve than the problems employed in previous 
cryptosystems, and that enables highly efficient processing in the calcula- 
tion for encryption/decryption, as well as a key-sharing method based on 
the above method, are provided. 



My residence, post office address and citizenship are as stated 
next to my name. 



I believe I am the original, first and sole inventor (if only one 
name is listed below) or an original, first and joint inventor (if plural 
names are listed below) of the subject matter which is claimed 
and for which a patent is sought on the invention entitled 

PUBLIC-KEY ENCRYPTION AND KEY-SHARING METHODS 



The specification of which is attached hereto unless the following 
box is checked: 






was filed on 28/January/2000 
as United States Application Number or 
PCT International Application Number 
PCT/JP00/0047S and was amended on 
(if applicable). 

I hereby state that I have reviewed and understand the contents of 
the above identified specification, including the claims, as 
amended by any amendment referred to above. 

I acknowledge the duty to disclose information which is material to 
patentability as defined in Title 37, Code of Federal Regulations, 
Section 1.56. 
Prior Foreign Application(s) 

(Number) (Country) 
11-239177 Japan 

(Number) (Country) 
I hereby claim foreign priority under Title 35, United States Code, 
Section 119 (a)-(d) or 365(b) of any foreign application(s) for 
patent or inventor's certificate, or 365(a) of any PCT international 
application which designated at least one country other than the 
United States, listed below and have also identified below, by 
checking the box, any foreign application for patent or inventor's 
certificate, or PCT International application having a filing date 
before that of the application on which priority is claimed. 

Priority Not Claimed 

29/January/1999 
(Day/Month/Year Filed) 

26/August/1999 
(Day/Month/Year Filed) 
I hereby claim the benefit under Title 35, United States Code, 
Section 119(e) of any United States provisional application(s) 

(Application No.) (Filing Date) 
I hereby claim the benefit under Title 35, United States Code, 
Section 120 of any United States application(s), or 365(c) of any 
PCT international application designating the United States, 
listed below and, insofar as the subject matter of each of the 
claims of this application is not disclosed in the prior United 
States or PCT International application in the manner 
provided by the first paragraph of Title 35, United States Code 
Section 112, I acknowledge the duty to disclose information 
which is material to patentability as defined in Title 37, Code of 
Federal Regulations, Section 1.56 which became available 
between the filing date of the prior application and the national 
or PCT international filing date of application. 



(Application No.) (Filing Date) (Status: Patented, Pending, Abandoned) 



(Application No.) (Filing Date) (Status: Patented, Pending, Abandoned) 
I hereby declare that all statements made herein of my own 
knowledge are true and that all statements made on 
information and belief are believed to be true; and further that 
these statements were made with the knowledge that willful 
false statements and the like so made are punishable by fine 
or imprisonment, or both, under Section 1001 of Title 18 of the 
United States Code and that such willful false statements may 
jeopardize the validity of the application or any patent issued 
thereon. 
POWER OF ATTORNEY: As a named inventor, I hereby 
appoint the following attorney(s) and/or agent(s) to prosecute this 
application and transact all business in the Patent and Trademark 
Office connected therewith (list name and registration number) 



Donald R. Antonelli, Reg. No. 20,296; David T. Terry, Reg. No. 


Inventor's signature ~~ Date June 2 g 2QQ 







Residence 

Kawasaki, Japan 






Citizenship 
Japan 






Post Office Address 

c/o Hitachi, Ltd., Intellectual Property Group 
New Marunouchi Bldg. 5-1, Marunouchi 1-chome, 
Chiyoda-ku, Tokyo 100-8220, Japan 